From: Peter Pentchev
To: FreeBSD Security List
Date: Thu, 13 Nov 2003 12:37:51 +0200
Subject: Re: Apache leaks sensitive info in PHP phpinfo() calls
Message-ID: <20031113103751.GM453@straylight.oblivion.bg>
In-Reply-To: <20031113102619.GB58969@users.munk.nu>

On Thu, Nov 13, 2003 at 10:26:19AM +0000, Jez Hancock wrote:
> Hi,
>
> I wanted to get some opinions on this subject before I submit a PR about
> it. I don't know if there are any pitfalls with the 'fix' I suggested
> and thought it best to run it past people here before submitting. If
> there's a better place to post this please let me know (freebsd-ports?).
>
> The send-pr output I was about to send explains everything so I'll just
> paste it here:
[snip]
> The apache13 port control script /usr/local/sbin/apachectl is used to
> control the apache httpd daemon. However the apachectl script does not
> start with a clean environment, inheriting the environment of the user
> that invokes the script. As a consequence the environment variables set
> by the shell of the user that invokes apachectl (usually a UID 0 user)
> are visible to users when executing a command such as phpinfo() in the
> PHP $_ENV superglobal array.
[snip]
> HTTPD=/usr/local/sbin/httpd
> - HTTPD=`echo /usr/bin/env -i $HTTPD`

This would be a nice solution; by the way, the problem is not limited
to PHP - it extends to any and all server-side scripting
components/languages, including plain vanilla CGI executables, mod_perl,
and many more.

I wonder if this should not be brought up with the Apache developers
though - it is not really FreeBSD-specific, and a fix to the FreeBSD
port would not address the same problem in any of the other environments
that Apache supports :)

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI
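
Review bot: In the line that sets HTTPD to `/usr/bin/env -i $HTTPD`, `env -i` starts httpd with a completely empty environment, so PATH is removed as well for httpd and for every CGI program or other child it launches; pass the few variables the server needs explicitly, for example `/usr/bin/env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin $HTTPD`. The backticked `echo` adds nothing over a plain quoted assignment such as `HTTPD="/usr/bin/env -i $HTTPD"`. With this change `$HTTPD` expands to three words instead of one path, so any place in the script that quotes it or hands it to a file test would need checking.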
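
The environment inheritance described in the quoted report, as an added example that is not part of the original thread or of the apachectl script: a stand-in handler lists the variable names it can see when started directly and when started through `env -i` with only PATH passed. The variable names and values (`DB_PASSWORD`, `SSH_AUTH_SOCK`), the allowlist and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: what a server-side handler inherits from the shell that
# started the daemon, with and without a cleaned environment.

# Stand-in for a CGI/PHP handler. Prints the NAMES of all environment
# variables visible to the child, one per line. Any arguments are used as
# a launcher prefix, e.g.: visible_names /usr/bin/env -i PATH=/bin
visible_names() {
    "$@" awk 'BEGIN { for (k in ENVIRON) print k }' </dev/null | sort
}

# Reads names on stdin and prints those that are not in the
# space-separated allowlist given as $1.
not_allowed() {
    allow=" $1 "
    while IFS= read -r name; do
        case "$allow" in
            *" $name "*) ;;                  # expected, ignore
            *) printf '%s\n' "$name" ;;      # would be exposed to scripts
        esac
    done
}

# Constructed operator environment: the kind of values a root login shell
# may carry when the admin runs the control script by hand.
export DB_PASSWORD='constructed-secret'
export SSH_AUTH_SOCK='/tmp/constructed-agent.sock'

ALLOW='PATH'                                 # assumption: all the daemon needs
CLEAN_PATH='/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin'

# Daemon started the way the report describes: environment inherited.
inherited_leaks() {
    visible_names | not_allowed "$ALLOW"
}

# Daemon started through env -i, with PATH passed back in explicitly.
clean_leaks() {
    visible_names /usr/bin/env -i PATH="$CLEAN_PATH" | not_allowed "$ALLOW"
}

echo "inherited start exposes: $(inherited_leaks | tr '\n' ' ')"
echo "env -i start exposes:    $(clean_leaks | tr '\n' ' ')"
```

The same `not_allowed` filter can be fed the variable names of a running daemon, obtained with whatever process inspection tool the system provides, to check a live server against the allowlist.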